Automation

A powerful low-to-no-code approach that allows your SOC to start automating complex tasks on day one.

Contact sales

Installable workflows

View all

These are additional workflows that you can choose to install from Cisco, its partners, and the Cisco XDR community. These are not installed by default and offer additional use cases beyond the workflows built into Cisco XDR. More information about installable workflows can be found in the Cisco XDR product documentation.

C
Check Point Quantum Smart-1 - Add IP Address to Network Group
Cisco Managed
This workflow appears in the pivot menu and allows you to add an IP address to a network group in Check Point Quantum Smart-1.
Pivot Menu
Learn more
Logo for Cisco Duo
Cisco Duo - Add User to Group
Cisco Managed
This workflow appears in the pivot menu and allows you to add a user to a group in Cisco Duo.
Pivot Menu
Learn more
H
HappyFox - Create Ticket for New Incident
Community
This workflow is designed to create a helpdesk case in HappyFox.
Incident Response
Learn more
Logo for Microsoft Defender for Endpoint GCC
Microsoft Defender for Endpoint GCC - Isolate Machine
Cisco Managed
This workflow appears in the pivot menu and allows a user to isolate a machine in Microsoft Defender for Endpoint GCC.
Pivot Menu
Learn more
Logo for Microsoft Entra ID
Microsoft Entra ID - Disable Users
Cisco Managed
This incident response workflow allows you to disable one or more users in Microsoft Entra ID from a playbook.
Incident Response
Learn more

Built-in workflows

View all

Workflows typically achieve an end-to-end use case. For example, fetching information from an incident, identifying endpoints to isolate, and requesting isolation for each endpoint. If you're familiar with software development, think of a workflow as a script that achieves an end-to-end outcome by taking one or more smaller steps. The workflows listed here are built into Cisco XDR and do not require installation or, in most cases, configuration. More information about workflows can be found in the Cisco XDR product documentation.

XDR - Close and Export Incident
Cisco Managed
This workflow is designed to be executed when an incident is resolved and ready to be closed.
Learn more
XDR - Contain Incident: Users
Cisco Managed
This workflow consumes one or more usernames or email addresses and attempts to lock out or disable matching users in all supported products.
Learn more
XDR - Delete Email Messages
Cisco Managed
This workflow consumes one or more email message IDs and attempts to delete matching messages in all supported products.
Learn more
XDR - Restore Systems
Cisco Managed
This workflow consumes one or more hostnames and attempts to un-isolate matching endpoints in all supported products.
Learn more
XDR - Restore URLs
Cisco Managed
This workflow consumes one or more URLs and attempts to restore them.
Learn more

Built-in actions

View all

Also known as atomic actions, these are small, reusable components you can use when building a workflow. Cisco XDR comes with over 500 actions built in for various products and capabilities or you can build your own. If you're familiar with software development, think of a workflow as a script that achieves an end-to-end outcome and an action as a function within the script. Actions usually do perform a specific, single task like creating a ticket or sending an instant message. More information about built-in actions can be found in the Cisco XDR product documentation.